client certificate validation issue - wcf

I am using client authentication certificate in WCF to authentication. Few days back certificate was expired and I have replaced with new certificate which is valid till June, 2023. Now when client sends request, we are getting HTTP 403.17 error. Till now I have verified server date time, client certificate validity period and also certificate chain is also okay. But Thawte timetimestamping CA certificate has expired.
Why it is checking Thawte timestamping Ca certification while client authentication.
However I am getting following error in CAPI2 event error:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
<EventID>11</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>11</Task>
<Opcode>2</Opcode>
<Keywords>0x4000000000000003</Keywords>
<TimeCreated SystemTime="2022-06-21T11:51:23.8680476Z" />
<EventRecordID>390727</EventRecordID>
<Correlation />
<Execution ProcessID="1272" ThreadID="5772" />
<Channel>Microsoft-Windows-CAPI2/Operational</Channel>
<Computer>computername</Computer>
<Security UserID="S-1-5-21-1975142630-593601476-67129519-2203" />
</System>
<UserData>
<CertGetCertificateChain>
<Certificate fileRef="BE36A4562FB2EE05DBB3D32323ADF445084ED656.cer" subjectName="Thawte Timestamping CA" />
<ValidationTime>2022-06-21T11:51:23.855Z</ValidationTime>
<AdditionalStore>
<Certificate fileRef="FA950CCCBC6D0829A61E348940CD341289FE9110.cer" subjectName="clientcertificatename" />
<EventOverflow objectCount="63" />
</AdditionalStore>
<ExtendedKeyUsage />
<Flags value="0" />
<ChainEngineInfo context="user" />
<CertificateChain chainRef="{A83662A4-B156-4C84-B013-7D16532E2421}">
<TrustStatus>
<ErrorStatus value="1" CERT_TRUST_IS_NOT_TIME_VALID="true" />
<InfoStatus value="100" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
</TrustStatus>
<ChainElement>
<Certificate fileRef="BE36A4562FB2EE05DBB3D32323ADF445084ED656.cer" subjectName="Thawte Timestamping CA" />
<SignatureAlgorithm oid="1.2.840.113549.1.1.4" hashName="MD5" publicKeyName="RSA" />
<PublicKeyAlgorithm oid="1.2.840.113549.1.1.1" publicKeyName="RSA" publicKeyLength="1024" />
<TrustStatus>
<ErrorStatus value="1" CERT_TRUST_IS_NOT_TIME_VALID="true" />
<InfoStatus value="10C" CERT_TRUST_HAS_NAME_MATCH_ISSUER="true" CERT_TRUST_IS_SELF_SIGNED="true" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
</TrustStatus>
<ApplicationUsage>
<Usage oid="1.3.6.1.5.5.7.3.8" name="Time Stamping" />
</ApplicationUsage>
<IssuanceUsage any="true" />
</ChainElement>
</CertificateChain>
<EventAuxInfo ProcessName="mmc.exe" />
<CorrelationAuxInfo TaskId="{207DA728-B37D-4ACF-94BB-CCE69CB01B8E}" SeqNumber="3" />
<Result value="800B0101">A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.</Result>
</CertGetCertificateChain>
</UserData>
</Event>
Could you please help me to fix this issue.
Best Regards

Related

Custom claim returned from API not included on sign up login but is included on second login

I have created a custom policy that sends some of the user input during sign up to my custom API for validation. If the data validates properly the API returns a custom claim value to be populated in the user.
During a local account sign up this works great and the custom claim that came from the API is returned in the token on the initial login during the sign up.
However during a signup with Google as the IDP, while the claim is populated properly (if I check via GraphAPI) it is not returned in the token on the initial sign up login, only on subsequent logins.
Below is my claim provider to call the API for validation.
<ClaimsProvider>
<DisplayName>Call Validation API</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="REST-ValidateUserData">
<DisplayName>Check Input Data</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<!-- Set the ServiceUrl with your own REST API endpoint -->
<Item Key="ServiceUrl">https://APIGOESHERE
<Item Key="SendClaimsIn">Body</Item>
<!-- Set AuthenticationType to Basic or ClientCertificate in production environments -->
<Item Key="AuthenticationType">Basic</Item>
<!-- REMOVE the following line in production environments -->
<Item Key="AllowInsecureAuthInProduction">false</Item>
</Metadata>
<CryptographicKeys>
<Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_RestApiUsername" />
<Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_RestApiPassword" />
</CryptographicKeys>
<InputClaims>
<!-- Claims sent to your REST API -->
<InputClaim ClaimTypeReferenceId="extension_studentNumber" />
<InputClaim ClaimTypeReferenceId="extension_dateOfBirth" />
<InputClaim ClaimTypeReferenceId="extension_postalCode"/>
</InputClaims>
<OutputClaims>
<!-- Claims parsed from your REST API -->
<OutputClaim ClaimTypeReferenceId="extension_OPRID" />
</OutputClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
Below is my Relying party in the SignUporSignIn custom policy.
<RelyingParty>
<DefaultUserJourney ReferenceId="CustomSignUpSignIn" />
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="OpenIdConnect" />
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="displayName" />
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="surname" />
<OutputClaim ClaimTypeReferenceId="email" />
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
<OutputClaim ClaimTypeReferenceId="identityProvider" />
<OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
<OutputClaim ClaimTypeReferenceId="extension_dateOfBirth"/>
<OutputClaim ClaimTypeReferenceId="extension_postalCode"/>
<OutputClaim ClaimTypeReferenceId="extension_studentNumber"/>
<OutputClaim ClaimTypeReferenceId="extension_OPRID"/>
</OutputClaims>
<SubjectNamingInfo ClaimType="sub" />
</TechnicalProfile>

Azure B2C OTP UI Elements: UserMessageIfVerificationFailedRetryAllowed not working

I have set the OTP user messages using localization. UserMessageIfInvalidCode is working but UserMessageIfVerificationFailedRetryAllowed is not working. I have the retry count set to 5, however it's only the UserMessageIfInvalidCode that shows when the message is invalid. Not sure what I am missing :
<ContentDefinitions>
<ContentDefinition Id="content.phone.verify">
<LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>
<RecoveryUri>~/common/default_page_error.html</RecoveryUri>
<DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.4</DataUri>
<LocalizedResourcesReferences MergeBehavior="Prepend">
<LocalizedResourcesReference Language="en" LocalizedResourcesReferenceId="content.phone.verify.en" />
</LocalizedResourcesReferences>
</ContentDefinition>
</ContentDefinitions>
<Localization Enabled="true">
<SupportedLanguages DefaultLanguage="en" MergeBehavior="ReplaceAll">
<SupportedLanguage>en</SupportedLanguage>
</SupportedLanguages>
<LocalizedResources Id="content.phone.verify.en">
<LocalizedStrings>
<LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfSessionDoesNotExist">Your code has expired, please request a new one.</LocalizedString>
<LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfMaxRetryAttempted">You have exceeded the number of retries allowed.</LocalizedString>
<LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfMaxNumberOfCodeGenerated">You have exceeded the number of code generation attempts allowed.</LocalizedString>
<LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfInvalidCode">TEST You have entered the wrong code.</LocalizedString>
<LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfSessionConflict">Cannot verify the code, please try again later.</LocalizedString>
<LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfVerificationFailedRetryAllowed">That code is incorrect, please try again.</LocalizedString>
</LocalizedStrings>
</LocalizedResources>
</Localization>
<TechnicalProfile Id="SelfAsserted-mfa">
<DisplayName>MFA</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="ContentDefinitionReferenceId">content.phone.verify</Item>
<Item Key="setting.inputVerificationDelayTimeInMilliseconds">500</Item>
</Metadata>
<IncludeInSso>false</IncludeInSso>
<InputClaimsTransformations>
<InputClaimsTransformation ReferenceId="CreatePhoneNumberList" />
</InputClaimsTransformations>
<InputClaims>
<InputClaim ClaimTypeReferenceId="phoneNumberString" />
</InputClaims>
<DisplayClaims>
<DisplayClaim ClaimTypeReferenceId="phoneNumberString" />
<DisplayClaim DisplayControlReferenceId="phoneVerificationControl" />
</DisplayClaims>
</TechnicalProfile>
<TechnicalProfile Id="MFA-GenerateCode">
<DisplayName>Generate Code</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.OneTimePasswordProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="Operation">GenerateCode</Item>
<Item Key="NumRetryAttempts">5</Item>
<Item Key="ReuseSameCode">true</Item>
</Metadata>
<InputClaims>
<InputClaim ClaimTypeReferenceId="userPhoneNumber" PartnerClaimType="identifier" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="verificationCode" PartnerClaimType="otpGenerated" />
</OutputClaims>
</TechnicalProfile>

Can RDP and attach debugger, MSVSMON.exe is running, but can't step-into cloud-environment web-role from my unit-test

I have a running WCF web role on Azure (not ASP.NET hosted!). I've seen many tutorials, tried many of them, and saw many SO questions - none of them seem to match my specific situation:
I'm able to connect with RDP
I see the MSVSMON.exe process in the host
I can attach to any process via VS2013-Update4 Server Explorer -> Instance -> Attach Debugger... (which process is the host, btw?)
The service works: tested with unit-test with the remote service reference
Disabled firewall - still no luck
I currently use Azure SDK 2.5
But when I try to Step Into from my unit-test, it says A remote operation is taking longer than expected and then: Unable to automatically step into the server. Connecting to the server machine '*.cloudapp.net' failed. The Microsoft Visual Studio Remote Debugging Monitor (MSVSMON.EXE) does not appear to be running on the remote computer. This may be because a firewall is preventing communication to the remote computer. Please see Help for assistance on configuring remote debugging.
What am I missing?
The csdef file:
<?xml version="1.0" encoding="utf-8"?>
<ServiceDefinition name="MyServiceWebRole.Azure" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition" schemaVersion="2014-06.2.4">
<WebRole name="MyServiceWebRole" vmsize="Small">
<Sites>
<Site name="Web">
<Bindings>
<Binding name="Endpoint1" endpointName="Endpoint1" />
</Bindings>
</Site>
</Sites>
<Endpoints>
<InputEndpoint name="Endpoint1" protocol="http" port="80" />
</Endpoints>
<ConfigurationSettings>
<Setting name="Variable_1" />
<!-- ... -->
<Setting name="Variable_N" />
</ConfigurationSettings>
<Imports>
<Import moduleName="RemoteAccess" />
<Import moduleName="RemoteForwarder" />
</Imports>
</WebRole>
</ServiceDefinition>
The Cloud.cscfg file:
<?xml version="1.0" encoding="utf-8"?>
<ServiceConfiguration serviceName="MyServiceWebRole.Azure" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration" osFamily="4" osVersion="*" schemaVersion="2014-06.2.4">
<Role name="MyServiceWebRole">
<Instances count="1" />
<ConfigurationSettings>
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.Enabled" value="true" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountUsername" value="***" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountEncryptedPassword" value="***" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountExpiration" value="2016-10-01T23:59:59.0000000+03:00" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteForwarder.Enabled" value="true" />
<Setting name="Variable_1" value="Variable_1_Value=" />
<!-- ... -->
<Setting name="Variable_N" value="Variable_N_Value" />
</ConfigurationSettings>
<Certificates>
<Certificate name="Microsoft.WindowsAzure.Plugins.RemoteAccess.PasswordEncryption" thumbprint="***" thumbprintAlgorithm="sha1" />
</Certificates>
</Role>
</ServiceConfiguration>

Thinktecture Identity Server HRD for two Client APP and different Return URL

I have followed this article Using IdSrv2 as IP-STS with membership store and can work fine on my first client App with returnurl: abc.com/a.aspx in one of the Relying Parties & Resources.
For my scenario I just want to create a Identity Provider I created. this is because I don't want to show all of the Idendity providers that I created in the HRD page just want to show my IDP and the other idnetity services from social network(facebook, google+, etc.) .
but I met it always return to the abc.com/a.aspx when I login to my second client app.is there any solution to solve my problem ?
I have created the setup that I believe you are trying to achieve. So I have Portal1 and Portal2. Both portals are set to authenticate users agains idsrv2 (thinktecture identityserver) and are set to use HRD. Idsrv2 is set to delegate authentication of users through HRD to idsrv (thinktecture identityserver).
The configuration of Portal1 web.config (only the important part) is
<system.identityModel>
<identityConfiguration>
<audienceUris>
<add value="https://localhost/Portal1/" />
</audienceUris>
<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
<authority name="http://idsrv2">
<keys>
<add thumbprint="BCD339ECD62BC50DEDA3B54D2236D12AE1217687" />
</keys>
<validIssuers>
<add name="http://idsrv2" />
</validIssuers>
</authority>
</issuerNameRegistry>
<!--certificationValidationMode set to "None" by the the Identity and Access Tool for Visual Studio. For development purposes.-->
<certificateValidation certificateValidationMode="None" />
</identityConfiguration>
</system.identityModel>
<system.identityModel.services>
<federationConfiguration>
<cookieHandler requireSsl="false" />
<wsFederation passiveRedirectEnabled="true" issuer="https://localhost/idsrv2/issue/hrd" realm="https://localhost/Portal1/" requireHttps="false" />
</federationConfiguration>
</system.identityModel.services>
And configuration of Portal2 (also important parts only) is:
<system.identityModel>
<identityConfiguration>
<audienceUris>
<add value="https://localhost/Portal2/" />
</audienceUris>
<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
<authority name="http://idsrv2">
<keys>
<add thumbprint="BCD339ECD62BC50DEDA3B54D2236D12AE1217687" />
</keys>
<validIssuers>
<add name="http://idsrv2" />
</validIssuers>
</authority>
</issuerNameRegistry>
<!--certificationValidationMode set to "None" by the the Identity and Access Tool for Visual Studio. For development purposes.-->
<certificateValidation certificateValidationMode="None" />
</identityConfiguration>
</system.identityModel>
<system.identityModel.services>
<federationConfiguration>
<cookieHandler requireSsl="false" />
<wsFederation passiveRedirectEnabled="true" issuer="https://localhost/idsrv2/issue/hrd" realm="https://localhost/Portal2/" requireHttps="false" />
</federationConfiguration>
</system.identityModel.services>
Now, configuration of idsrv (the parts I believe are important):
And finally the configuration of idsrv2:
And last the network flow when authenticating on Portal1

log4net security context can't find domain

I have a config file to log to a SQL server database.
The logging works fine when I use a sql account, but I need to use a windows account to access the database. Thus I changed the config file to include SecurityContext.
<appender name="AdoNetAppender" type="log4net.Appender.AdoNetAppender">
<bufferSize value="1" />
<connectionType value="System.Data.SqlClient.SqlConnection, System.Data, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
<connectionString value="data source=SERVER;initial catalog=DB;integrated security=false;persist security info=True" />
<securityContext type="log4net.Util.WindowsSecurityContext">
<domain value ="DOMAIN"/>
<userName value="USER" />
<password value="PASSWORD" />
</securityContext>
But this does not work. I turned on the internal logging and to my surprise I get
log4net:ERROR XmlHierarchyConfigurator: Cannot find Property [domain] to set object on [log4net.Util.WindowsSecurityContext]
But I have defined domain in the securityContext. Why does it not recognize my domain?
After encountering the same problem, I found it's most likely the solution is in renaming the property domain to domainName. For future reference:
<appender name="AdoNetAppender" type="log4net.Appender.AdoNetAppender">
<bufferSize value="1" />
<connectionType value="System.Data.SqlClient.SqlConnection, System.Data, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
<connectionString value="data source=SERVER;initial catalog=DB;integrated security=false;persist security info=True" />
<securityContext type="log4net.Util.WindowsSecurityContext">
<domainName value="DOMAIN" />
<userName value="USER" />
<password value="PASSWORD" />
</securityContext>
</appender>